From b8c2abfc155931c86f3280799c57db91fa83c53f Mon Sep 17 00:00:00 2001
From: Mauri de Souza Meneguzzo <mauri870@gmail.com>
Date: Mon, 16 Oct 2023 00:15:08 +0000
Subject: [PATCH] [internal-branch.go1.20-vendor] http2: fix underflow in http2
 server push

After CL 534215 was merged to fix a CVE it introduced
an underflow when we try to decrement sc.curHandlers
in handlerDone.

The func startPush calls runHandler without incrementing
curHandlers. Seems to only affect users of http.Pusher.

For golang/go#63511
For golang/go#63740

Change-Id: Ic537c27c9945c2c2d4306ddb04e9527b65cee320
GitHub-Last-Rev: 249fe55f7501ca607f70e8050c6546995cd808e8
GitHub-Pull-Request: golang/net#197
Reviewed-on: https://go-review.googlesource.com/c/net/+/535595
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Mauri de Souza Meneguzzo <mauri870@gmail.com>
(cherry picked from commit 37479d671cd577ab022df2c2b7164ddc8ad735f7)
Reviewed-on: https://go-review.googlesource.com/c/net/+/537956
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 http2/server.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/http2/server.go b/http2/server.go
index e4a9f44b..dff2bb85 100644
--- a/http2/server.go
+++ b/http2/server.go
@@ -3204,6 +3204,7 @@ func (sc *serverConn) startPush(msg *startPushRequest) {
 			panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
 		}
 
+		sc.curHandlers++
 		go sc.runHandler(rw, req, sc.handler.ServeHTTP)
 		return promisedID, nil
 	}